Functional Safety – SIL: Electric Actuators for Safety-Related Systems up to SIL 3
AUMA AUTOMATES VALVES

AUMA offers a broad portfolio of electric actuators qualified for safety-related systems up to SIL 3. Our products contribute to the safe operation of technical systems all around the globe. Internationally renowned test institutes have determined both safety figures and SIL capability for our products.

Besides a basic introduction to the functional safety topic, this brochure will provide you with detailed information on the SIL capability of AUMA products.

Further documents like certificates, inspection certificates, safety figures, or our comprehensive manuals "Functional safety – SIL" are available on request or for download from our website www.auma.com.

Contents
AUMA automates valves 3
Risk reduction by functional safety 4
Standards on functional safety 6
How to achieve functional safety 7
Safety function and safety-instrumented system 8
Criteria for risk reduction 9
Determining the SIL capability 12
Improving the SIL capability 13
AUMA products with SIL classification 15
AC .2 actuator controls in SIL version 18
FQM fail safe unit in SIL version 22
Determination of SIL capability for AUMA products 24
This is support by AUMA 27
2021.03.09
RISK REDUCTION BY FUNCTIONAL SAFETY

Safety issues in modern industrial plants gain increasing importance, in particular for plants with high hazard potential within the oil & gas sector, the chemical industry or in power plants.

Today, a clear trend to implement sophisticated safety systems intervening in case of failure can be noted, in particular to monitor processes leading to potential hazards for both persons and the environment. Such systems are used to shut down a plant in case of emergency, for example, to cut off the supply of hazardous substances, provide cooling or open overpressure valves. To reduce hazards emanating from a plant, these systems must perform their safety functions in case of emergency and must not fail.

However, how can plant operators and device manufacturers guarantee that the systems implemented work "safely" and meet the necessary requirements? How can failure risks be assessed?

The standards relating to functional safety, IEC 61508 and IEC 61511, supply the answer. They describe methods for assessing the failure risks of modern and often software-controlled systems and for determining the actions for risk reduction.

WHAT DOES FUNCTIONAL SAFETY MEAN?

According to IEC 61508, functional safety relates to systems used to carry out safety functions whose failure would have a considerable impact on the safety of both persons and the environment.

In order to achieve functional safety, a safety function must ensure, in the event of a failure, that a technical system is led to or maintained in a safe state.

In the process industry, functional safety does not deal with basic dangers of a product or a system, such as rotating parts for example, but with hazards which might be caused by a system due to the failure of a safety function.

A major objective of functional safety is to reduce the probability of dangerous failures and consequently to minimise the risk for people and environment to a tolerable level.

Altogether, functional safety – in combination with further actions such as fire protection, electrical safety or explosion protection – significantly contributes to the overall safety of a system.
WHAT IS SIL?

SIL is a term closely linked to functional safety. SIL is the abbreviation for Safety Integrity Level and a measuring unit for risk reduction with safety functions.

The higher the potential hazards from processes or systems, the more demanding the requirements on reliability of safety functions.

IEC 61508 defines four different safety integrity levels, SIL 1 through SIL 4. SIL 4 has the highest level of safety integrity and SIL 1 the lowest. For each level, specific target failure probabilities are defined which may not be exceeded by the safety function.

AUMA'S ROLE WITHIN THIS CONTEXT

AUMA products are implemented as components into systems which perform safety functions. For this reason and in collaboration with independent test authorities such as TÜV and exida, we examined which SIL our actuators, actuator controls and gearboxes are capable of.

On the basis of the determined safety specifications and figures, plant designers can select the suitable devices for the requested safety integrity demands.
STANDARDS ON FUNCTIONAL SAFETY

Industrial accidents with disastrous consequences such as the Seveso dioxin disaster in 1976, or the Indian Bhopal gas tragedy in 1984, put the worldwide standardisation processes with regard to the safety of technical systems into gear.

At EU level, first the Seveso I, Seveso II and later the so-called Seveso-III-directive 2012/18/EU on the control of major accident hazards involving dangerous substances were issued. These directives aim at the protection of persons, environment and material assets as the primary objective. Furthermore, definite instructions were given for systems with high hazard potential.

National standards on functional safety were first created within this context. The first international standard was issued in 1998 with the IEC 61508.

IEC 61508
IEC 61508 is one of the most important international standards applicable to functional safety for electrical, electronic or programmable electronic components (E/E/PE) executing safety functions. The requirements of the standard are transferred to other, e.g. mechanical, components where appropriate. A new edition of this standard has been available since 2010.

As a generic basic standard, it is addressed to consultants, operators and device manufacturers and is supplemented by further application-specific standards such as IEC 61511 for the process industry.

Concept of risk reduction
The objective of safety-related system implementation is to reduce risks generated by processes and plants. Generally, the standard assumes that it is impossible to exclude all potential risks. However, it offers methods for risk analysis, risk reduction and evaluation of the residual risk.

IEC 61511
This standard includes the application-specific implementation of IEC 61508 for the process industry, in particular the chemical and petrochemical industry. It defines the requirements for safety-related systems used in the process industry for risk reduction. It also uses safety integrity levels SIL 1 to SIL 4 as a measure for the required risk reduction.

This standard mainly addresses consultants and plant operators.

IEC 62061
Dealing with the safety of machinery, the requirements on functional safety derive from IEC 61508. IEC 62061 uses safety integrity levels SIL 1 to SIL 3.

EN ISO 13849
The EN ISO 13849 on the safety of machinery is about the safety requirements on design and integration of safety-related parts of control systems. It provides a classification according to performance levels (PL). PL is a measure for reducing the risk arising from the machine. Performance levels are classified from "a" to "e", where "e" represents the highest PL.

Functional safety in compliance with EN ISO 13849 is often a requirement within hydropower and civil engineering constructions for water applications.
HOW TO ACHIEVE FUNCTIONAL SAFETY

SAFETY-RELATED ASSESSMENT

First of all, the risks emanating from a system or process will have to be analysed to achieve functional safety. The standards IEC 61508 and IEC 61511 supply a recognised method for risk evaluation.

Differentiated safety-related assessments are used to identify the processes leading to actual hazardous events. Consequently, focus can be placed on taking risk-reducing actions wherever truly needed.

Selection of appropriate components
Depending on the required SIL, components for implementing the safety function will be selected.

To facilitate this procedure, device manufacturers like AUMA have their devices tested for classification in compliance with the available safety integrity levels.

Example of a risk graph for a safety-related assessment in compliance with IEC 61508/61511

Hazard potential              Probability of unwanted occurrence
C      F      P               W3        W2        W1
C1                            -         -         -
C2     F1     P1              SIL 1     -         -
C2     F1     P2              SIL 1     SIL 1     -
C2     F2     P1              SIL 2     SIL 1     SIL 1
C2     F2     P2              SIL 3     SIL 2     SIL 1
C4                            -         SIL 4     SIL 3

C  Consequences
   C1  Minor injury of a person or minor hazardous environmental impacts
   C2  Serious permanent injuries or 1 death
   C3  Death of several persons
   C4  Multiple deaths
F  Avoidance of hazard
   F1  Possible under certain circumstances
   F2  Almost impossible
P  Exposure time of a person at the hazardous location
   P1  Rare to frequent
   P2  Frequent to permanent
W  Probability of unwanted occurrence
   W3  Relatively high
   W2  Low
   W1  Very low
SAFETY FUNCTION AND SAFETY-INSTRUMENTED SYSTEM

Safety instrumented functions (SIF) are protective actions activated in case of failure to avoid damage to persons, environment and material assets. Functional safety is achieved if safety functions work reliably in case of failure.

A typical safety instrumented function is the automatic safety shutdown of a process.

In the valve sector, the following safety functions are of crucial importance:

A safety function is implemented by the components of the Safety Instrumented System (SIS). Such a system generally consists of the following components: sensor, host safety PLC and actor. In the valve sector, the actor combines actuator and valve.

When assessing whether a safety instrumented function achieves the required SIL, systematic capability as well as the safety figures of all individual components of the safety instrumented system are considered.

Components of a typical safety instrumented system: 1 Sensor, 2 Safety PLC, 3 Actor, in our example consisting of actuator and valve.
CRITERIA FOR RISK REDUCTION

When analysing the potential hazards of a process, the SIL to be met is determined for each safety instrumented function. International standards IEC 61508 and IEC 61511 define the three main criteria the safety instrumented function or the SIS has to comply with to meet the required risk reduction:

> Systematic capability
> Permitted average probability of failure on demand
> Architectural constraints

The criteria are explained in the following.

SYSTEMATIC CAPABILITY

The systematic capability (SC) is to ensure that a component is generally suitable for an SIS with a specific SIL requirement. IEC 61508 defines different methods:

> The first method (Route 1S in the standard) requires that certain procedures are heeded during development, manufacture and maintenance etc. Thus, systematic faults, like, for example, incorrect sizing or design faults in components, are avoided. This method is predominantly applied to devices to be newly developed.
> The second method (Route 2S) is based on the evaluation of field data to obtain evidence that the components are proven in use and to prove the required reliability. This method is in particular applied to device types existing for quite some time and for which a multitude of field data is available.
PROBABILITY OF FAILURE ON DEMAND (PFD)

Low demand mode
In low demand mode of operation, the safety function is requested at most once a year. Typically this applies to safety functions for the process industry using actuators.

Only the safety function is taken into account here. An actuator used to perform a safety function as well as "conventional" opening and closing actions may of course open or close a valve more often during normal service. A system failure requiring safe valve closing must however not be expected more than once a year.

Allowed PFD values for low demand mode

Safety integrity level   Allowed PFDavg value for a safety function (low demand)   Theoretically allowed failures on demand
SIL 1                    ≥ 10^-2 to < 10^-1                                          Allows one dangerous failure in 10 years
SIL 2                    ≥ 10^-3 to < 10^-2                                          Allows one dangerous failure in 100 years
SIL 3                    ≥ 10^-4 to < 10^-3                                          Allows one dangerous failure in 1,000 years
SIL 4                    ≥ 10^-5 to < 10^-4                                          Allows one dangerous failure in 10,000 years

High demand mode and continuous mode
In high demand mode, the safety function is requested more than once a year. In continuous mode, the safety function is continuously working. The basic safety calculation parameter for these two operation modes is the probability of failure per hour, indicated as PFH value.

In a first step, PFD and PFH values are calculated for each component of a safety instrumented system. A safety integrity level describes the characteristics of a complete safety function and not of the mere individual component. For this reason, the total value must then be calculated for the safety function on the basis of the PFD or PFH values of the individual components.

ARCHITECTURAL CONSTRAINTS

Architectural requirements must be met on element level. For the final element, consisting of actuator and valve, it has proved reasonable to consider this combination as a single element.

Safe Failure Fraction (SFF)
The SFF value (Safe Failure Fraction) describes the fraction in percent of safe and detected dangerous failures related to the total failure rate. Failures are considered safe if their occurrence either brings the system into a safe state or maintains the system in the safe state.

The higher the value, the lower the probability of a dangerous system failure.

Hardware fault tolerance (HFT)
HFT (Hardware Fault Tolerance) is the ability of a functional element to further perform a required safety function in spite of the presence of faults or deviations.

A hardware fault tolerance of N means that N + 1 faults could cause a loss of the safety function. For example, with a hardware fault tolerance of 0, a single fault can lead to the failure of the safety function.

In general, HFT can be increased by creating a redundant system architecture (please also refer to page 13).
The following parameters are required for the assessment of the different risk reduction criteria:

Device type
IEC 61508 distinguishes between simple and complex devices.

The PFD value can be improved by reducing the time between two proof tests.
DETERMINING THE SIL CAPABILITY

It is always the SIL capability of the entire safety instrumented system that is crucial to the safety of a safety function.

SIL CAPABILITY OF A SAFETY FUNCTION

When assessing and classifying a safety function in compliance with IEC 61508, all three major criteria should be considered. Systematic capability, probability of failure on demand and architectural constraints are decisive. The respective values for the individual components of the SIS have to be considered.

It is imperative to observe that the achievable SIL is always the lowest SIL achieved by the three individual assessments:

Example of determining the maximum achievable SIL of a safety function (for single-channel system architecture)

Systematic capability
  Sensor       Route 1S   SC = 2
  Safety PLC   Route 1S   SC = 3
  Actuator     Route 1S   SC = 3
  Valve        Route 2S   SC = 2
  Safety function: SIL 2

PFD value
  Sensor 3.63 x 10^-3 + Safety PLC 1.84 x 10^-3 + Actuator 2.28 x 10^-3 + Valve 2.92 x 10^-3 = total PFD 1.07 x 10^-2
  Safety function: SIL 1

Overall assessment
  Safety function: SIL 1
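The following Python script is an added example, not AUMA code, that applies the brochure's "lowest of the individual assessments" rule to the figures above: it takes the minimum systematic capability, sums the component PFD values and maps the total onto the low demand PFDavg bands from the previous section, and, going one step beyond the printed example, also evaluates the architectural constraint (SFF and HFT, as defined earlier) using the IEC 61508-2 Route 1H tables, which the brochure refers to but does not print. The FMEDA failure rates used to derive an SFF are constructed for the demonstration and are not AUMA's published figures.

```python
"""Added example (not AUMA's code): combining the three IEC 61508 criteria the
brochure names into the SIL of a safety function.

Component SC and PFD figures are the brochure's worked example. The
architectural-constraint lookup is IEC 61508-2 Tables 2 and 3 (Route 1H);
the SFF/HFT values below are constructed, not AUMA's published figures."""
from dataclasses import dataclass
from typing import Optional

# Allowed PFDavg bands for low demand mode (brochure table): SIL -> [lower, upper)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# IEC 61508-2 Route 1H: achievable SIL per (device type, SFF band) for HFT 0, 1, 2.
# SFF bands: 0 = "< 60 %", 1 = "60 % to < 90 %", 2 = "90 % to < 99 %", 3 = ">= 99 %".
# A 0 entry means the architecture is not allowed for a safety function.
ARCH_TABLE = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


@dataclass
class Element:
    name: str
    sc: int                       # systematic capability (Route 1S or 2S result)
    pfd: float                    # PFDavg of this element, low demand mode
    device_type: str = "A"        # "A" (simple, failure modes fully known) or "B"
    sff: Optional[float] = None   # safe failure fraction 0..1; None = not assessed
    hft: int = 0                  # hardware fault tolerance of the element


def safe_failure_fraction(lam_safe, lam_dd, lam_du):
    """SFF from FMEDA-classified failure rates: safe plus dangerous-detected
    failures divided by the total failure rate (the brochure's definition)."""
    total = lam_safe + lam_dd + lam_du
    return (lam_safe + lam_dd) / total


def sil_from_pfd(pfd_total):
    """Map a total PFDavg onto the low demand bands; 0 means below SIL 1."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd_total < hi:
            return sil
    return 0


def sil_from_architecture(device_type, sff, hft):
    """Route 1H architectural constraint for one element (0 = not allowed)."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ARCH_TABLE[device_type][band][min(hft, 2)]


def assess_safety_function(elements):
    """Brochure rule: the achievable SIL is the lowest SIL reached by the
    individual assessments. Partial results are returned for auditing."""
    sc_sil = min(e.sc for e in elements)
    pfd_total = sum(e.pfd for e in elements)      # single channel: PFDs add up
    pfd_sil = sil_from_pfd(pfd_total)
    # Architectural constraints apply on element level; skipped when no SFF data.
    arch_sils = [sil_from_architecture(e.device_type, e.sff, e.hft)
                 for e in elements if e.sff is not None]
    arch_sil = min(arch_sils) if arch_sils else None
    overall = min(s for s in (sc_sil, pfd_sil, arch_sil) if s is not None)
    return {"sc_sil": sc_sil, "pfd_total": pfd_total, "pfd_sil": pfd_sil,
            "arch_sil": arch_sil, "overall": overall}


# The brochure's example (single-channel architecture); no SFF data is printed.
BROCHURE_EXAMPLE = [
    Element("Sensor", sc=2, pfd=3.63e-3),
    Element("Safety PLC", sc=3, pfd=1.84e-3),
    Element("Actuator", sc=3, pfd=2.28e-3),
    Element("Valve", sc=2, pfd=2.92e-3),
]

# Constructed FMEDA result for a final element (failures per hour, illustrative only).
FINAL_ELEMENT_SFF = safe_failure_fraction(lam_safe=4.0e-7, lam_dd=2.0e-7, lam_du=2.0e-7)

if __name__ == "__main__":
    print(assess_safety_function(BROCHURE_EXAMPLE))
    print("type A, HFT 0:", sil_from_architecture("A", FINAL_ELEMENT_SFF, 0))
    print("type A, HFT 1:", sil_from_architecture("A", FINAL_ELEMENT_SFF, 1))
```

Raising the HFT of the final element from 0 to 1 (a 1oo2 architecture, as the Redundancy section describes) lifts its architectural limit by one SIL, but the PFD-derived SIL 1 still caps the overall result until the PFD values themselves improve.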
IMPROVING THE SIL CAPABILITY

Should the assessment show that the selected hardware components do not achieve the requested SIL, then SIL capability can be improved by additional actions such as diagnosis and redundancy.

PARTIAL VALVE STROKE TEST (PVST)

The partial valve stroke test is performed to regularly verify device functionality. Actuator or valve travel a predetermined distance back and forth, thus testing the operation of the actuator.

PVST is a recognised method to increase the availability of individual components of a safety function. By means of preventive diagnostics, some safety-relevant faults may be detected before they can prevent or impair the execution of a safety function; the probability of failure on demand decreases.

REDUNDANCY

Redundant system architecture is used to increase the probability that the safety function is performed in case of emergency. Two or more devices of a safety-related system are subjected to redundant operation.

Depending on the safety requirement, different MooN ("M out of N") configurations may be feasible. For a 1oo2 ("one out of two") configuration, one out of two devices is sufficient to perform the required safety function. A 2oo3 ("two out of three") configuration implies that two out of three devices must function properly.

A redundant system architecture can increase hardware fault tolerance (HFT) and consequently SIL capability. In general, a redundant system structure is implemented for SIL 3 applications according to IEC 61511, e.g. 1oo2.

Figures: Redundant system for Safe OPENING; Redundant system for Safe CLOSING
AUMA PRODUCTS WITH SIL CLASSIFICATION

1 For these products, safe end position feedback is not included in the certificate. A declaration of incorporation has been issued instead.
AUMA PRODUCTS IN SFC VERSION

With the actuators, actuator controls and gearboxes in SFC (Safety Figures Calculated) version, AUMA offers a wide product portfolio for medium and low safety requirements. In close cooperation with exida, AUMA has determined the safety figures for these products within the framework of a hardware assessment based on field experience and/or generic data. A declaration of incorporation by the manufacturer is available for these products. They offer higher flexibility with regard to configuration options as well as investment cost.

SA and SQ actuators without actuator controls are up to SIL 2 capable for the safety functions considered.
> Safe operation in direction OPEN/CLOSE
> Safe standstill
> Safe end position feedback
For these versions, control functions have to be supplied by the customer.

Actuators with AM .1 or AC .2 actuator controls are up to SIL 2 capable in the versions considered.
> Safe end position feedback

Safety figures were also determined for AUMA GK and GS .3 gearboxes. The gearboxes considered are up to SIL 2 capable.
> Safe operation in direction OPEN/CLOSE

WSH LIMIT SWITCHING DEVICE IN SFC VERSION

WSH manual gearboxes with electromechanical control unit are SIL 1 capable.
Safety functions:
AUMA PRODUCTS WITH SIL CLASSIFICATION

The safety-related figures and thus the SIL capability depend on the safety function performed by the device in case of emergency, with the objective to achieve a safe system state.

AUMA actuators are suitable for the following safety functions:

Safe OPENING/Safe CLOSING (Emergency Shutdown, ESD)
Upon request of the safety function, the actuator travels in direction end position OPEN or end position CLOSED.

These safety functions can generally be combined with a Partial Valve Stroke Test (PVST) as additional diagnostic measure.

Safe Torque Off, STO (often called Safe STOP or Stayput)
Upon request of the safety function, the actuator motor is disconnected from the mains. Undesired motor starts from standstill are prevented.

Safe operation in direction OPEN/CLOSE
This safety function is executed by actuators without actuator controls and by gearboxes. On demand, the actuator runs in the respective direction. The valve position is, however, not indicated here.

Safe CLOSING
Example of an overfill protection for an oil tank
In tank farms, the standard tank filling systems are often protected by additional safety systems designed to prevent overfilling. A safety PLC continuously monitors the filling level within the tank via specific sensors. Once a limit is exceeded, the safety PLC sends an emergency shutdown (ESD) signal to the actuator of the SIS and the valve will be closed.

Safe end position feedback and safe STOP
Example of a lock
Locks are a good example for presenting different safety functions:

For instance, it has to be ensured that the lock gates on one side are completely closed prior to opening the other side. This can be implemented using an actuator with safe end position feedback combined with a safe STOP function as locking function. The locking function ensures that a movement of the lock gate is only enabled if the "Safe STOP" signal is not applied.

If a ship is between the opened lock gates, the Safe STOP safety function can reliably stop the closing of the lock.
OVERVIEW OF AUMA PRODUCTS WITH SIL CLASSIFICATION
Upon request, AUMA will provide you with test reports for all SIL classified AUMA products.
AC .2 ACTUATOR CONTROLS IN SIL VERSION

With the AC .2 actuator controls in SIL version, AUMA provides modern controls for safety-related systems up to SIL 3. Safety functions are exclusively executed via the safe SIL module. During standard operation, all AC .2 functions are available.

TÜV CERTIFICATE FOR SIL 2/SIL 3 APPLICATIONS

You will appreciate the variety of functions and setting options when familiarising with AC .2 actuator controls. Freely configurable parallel and fieldbus interfaces allow swift integration into sophisticated distributed control systems. AC .2 controls are ideally suited to complex control functions. Additional diagnostic functions like operating data logging and lifetime factor monitoring increase safety and availability of the actuator.

Thanks to the SIL module developed by AUMA, these functions can also be used for SIL 2 and SIL 3 applications. SA and SQ actuators equipped with AC .2 in SIL version are certified by TÜV Nord and approved for safety-related systems up to SIL 3 (SC = 3, SIL 3 in redundant version 1oo2/HFT = 1).
THE SIL MODULE

The SIL module consists of an additional electronic board, responsible for executing the safety functions. This board is used in AC .2 and ACExC .2 actuator controls in addition to the standard logic.

The SIL module integrates comparatively simple components such as transistors, resistors and capacitors for which the failure modes are completely known. Therefore, AC .2 in SIL version is classified as a type A device. Determined safety figures allow implementation in SIL 2 and even in SIL 3 (SC = 3) applications (provided the availability as redundant architecture – 1oo2).

PRIORITY OF THE SAFETY FUNCTION

If a safety function is requested in the event of an emergency while some functions are executed via the standard logic, the standard logic of AC .2 will be by-passed and the safety function will be performed via the SIL module. The safety functions always overrule standard operation.

TYPICAL SYSTEM ARCHITECTURE

Actuators with AC .2 actuator controls in SIL version offer various options for system architecture:

Physically separated SIS
In most cases, an SIS is completely physically separated from standard process control. This means that an actuator with AC .2 in SIL version is exclusively designated for the execution of the safety function. A second, standard version actuator will operate the valve during normal operation.

Combination of SIS and normal operation
An actuator with AC .2 actuator controls in SIL version can generally be used for both execution of the safety function and process control during normal operation: AC .2 is controlled via two host controls (PLC), a standard PLC and a safety PLC classified as SIL approved PLC.

However, additional requirements to be observed for both design and integration have been defined in IEC 61511 for this specific application.
CONFIGURATION OPTIONS

> Safe OPENING/CLOSING combined with Safe STOP
  In this case, the Safe OPENING/Safe CLOSING function is prioritised. In addition, safe end position feedback via actuator is possible.
> Forced torque seating
  Actuator only stops when reaching the set end position and the preset torque end position.
> No seating
  In this instance, torque and limit switches are by-passed to force valve opening or closing. To avoid motor burn-out, we recommend using AC .2 in SIL version with thermal protection function.
MONITORING ACTUATOR OPERATION

Electromechanical monitoring of actuator operation via the SIL module is used to test system reliability. If the actuator does not start within a predefined time after an operation command, the SIL module activates the SIL collective failure signal.

The SIL module provides three safe inputs and two safe outputs:

DISPLAY SUPPORT

Any information about the SIL module status, like performing a safety function or presence of a SIL collective fault signal, is indicated by means of symbols and texts on the AC .2 display.

Display example: SIL status: 1 / Safe ESD
FQM FAIL SAFE UNIT IN SIL VERSION

Availability of the safety function even during power failure is often requested.

With the FQM fail safe unit, AUMA offers innovative and safe actuation solutions for opening or closing valves in case of emergencies during power failures.

The FQM fail safe unit is always used in combination with an SQ part-turn actuator and AC .2 actuator controls. The fail safe unit is also available in an explosion-proof and fireproof version.

EXIDA CERTIFICATE FOR SIL 2/SIL 3 APPLICATIONS

FQM fail safe units in SIL version were certified by exida and may be used for safety-related applications up to SIL 2 for single-channel system architecture and up to SIL 3 for redundant system architecture.
MECHANICAL SOLUTION FOR UTMOST SAFETY

The innovative technology offers various advantages: The torque required in an emergency is provided via the energy mechanically stored in a constant force spring. No electrical power is required for fail safe operation.

The constant force spring motor provides a constant torque during fail safe operation across the complete travel. During standard operation, the constant force spring is disengaged and is not operated. As a consequence, actuator sizing can be relatively small.

Another advantage is the adjustable operating speed: It will be reduced prior to reaching the end position so that the valve is operated slowly and softly into the end position. This avoids pressure peaks within the pipeline and protects the valve.

SAFETY FUNCTIONS

The following safety functions can be implemented by means of the FQM fail safe unit in SIL version:

> Safe OPENING/CLOSING (Safe ESD, Emergency Shut Down)
  The FQM fail safe unit runs to the configured end position OPEN or CLOSED. For single-channel system architecture, this safety function achieves SIL 2 (SC = 3, 1oo1/HFT = 0) and for redundant system architecture SIL 3 (SC = 3, 1oo2/HFT = 1).
> Safe end position feedback
  Safe end position feedback in accordance with SIL 2 can be achieved for single-channel system architecture via SIL qualified end position switches within the FQM fail safe unit. The signal can also be read in case of actuator power failure.

INITIATION OF A FAIL SAFE OPERATION

The following criteria for initiating fail safe operation are possible for a fail safe unit in SIL version:

> Emergency Shutdown (ESD) signal of a safety PLC
> Power failure OR ESD signal of a safety PLC

Fail safe operation is directly initiated within the FQM. This is independent of AC .2 actuator controls. The constant force spring is activated during fail safe operation and transmits the generated torque to the valve by means of a planetary gearing.
DETERMINATION OF SIL CAPABILITY FOR AUMA PRODUCTS

SIL capability was determined to allow sound and reliable statements about the suitability of AUMA products for safety-relevant applications. The IEC 61508 standard suggests two procedures which differ: hardware assessment and complete assessment.

Hardware assessment
Assessment for existing AUMA products was made by hardware assessment based on field experience. This includes SA and SQ actuators as well as GK gearboxes, for example. For further information, please refer to page 25.

Complete assessment
The newly developed AC .2 actuator controls in SIL version and FQM fail safe unit in SIL version have been subjected to complete assessment. The relevant fault-avoiding measures in compliance with IEC 61508 were applied in all phases of the product life cycle, from product specification right through to decommissioning. For further information, please refer to page 26.
HARDWARE ASSESSMENT OF PRE-EXISTING PRODUCTS AND SUB-ASSEMBLIES

Safety figures are determined for the various components which are used to perform SIL classification. This analysis is made in defined steps, recorded and transparent at any time.

Assessment steps:
1. Failure rates λ of system components
2. FMEDA
3. Classified system failure rates: λ safe, λ dangerous detected, λ dangerous undetected
4. Determination of safety figures: PFDavg, SFF, HFT, DCD
COMPLETE ASSESSMENT FOR NEW DEVELOPMENTS

AC .2 actuator controls in SIL version and FQM fail safe unit in SIL version are new developments subjected to complete assessment in compliance with IEC 61508.

AC 01.2 in SIL version was certified by TÜV Nord and FQM in SIL version by exida.

What was tested?
Compared to mere hardware assessment of pre-existing products, the overall assessment includes tests and certifications of development and production procedures for systematic fault avoidance where possible.

Generally speaking, systematic faults are faults occurring e.g. during specification, development, production, commissioning, operation or maintenance. They are basically avoidable.

Functional Safety Management System
For avoidance of systematic faults, AUMA uses a Functional Safety Management (FSM) system. The FSM system can be considered as an extension to a quality management system. Rules and definitions described within the framework of this system are used to avoid potential fault sources to the greatest extent possible. Furthermore, actions are taken to detect and eliminate all remaining systematic fault sources in due time to prevent the occurrence of hazardous situations.

Determining the safety figures
The random faults remaining in spite of all risk reduction actions are subject to quantitative recording for assessing the residual risk. For this purpose, safety figures such as the probability of failure for the products are determined and provided to the customer.

At AUMA, this procedure is identical to the mere hardware assessment (refer to page 25).
THIS IS SUPPORT BY AUMA

ASK OUR EXPERTS

Selecting the right component for the implementation of a safety instrumented system is always challenging; merely calculating the probability of failure is not sufficient. The individual marginal conditions have to be examined and assessed.

Our experts look back on long-standing experience with the use of electric actuators in safety instrumented systems. We are pleased to assist you in designing your SIS or selecting the appropriate actuator.

USE OUR DOCUMENTATION

AUMA provides detailed and comprehensive material on functional safety.

You may request the following documents from AUMA:
> Declarations of incorporation
> Safety figures
> Safety manuals with checklists
AUMA Riester GmbH & Co. KG
Aumastr. 1
79379 Muellheim
Germany
Tel +49 7631 809-0
Fax +49 7631 809-1250
info@auma.com
Subject to changes without notice. The product features and technical data provided do not express or imply any warranty. Y004.602/003/en/1.21